[00:00.880 --> 00:02.920]  Alright, so next talk on the list,
[00:02.920 --> 00:08.960]  You're Not The Money Printer, or Why We Should Separate Coinbase and Non-Coinbase Rings.
[00:09.200 --> 00:14.880]  So, during the talk today, I mean, this talk might not take the full 30 minutes,
[00:14.880 --> 00:18.680]  but one thing I've been really passionate about over the last few years
[00:18.680 --> 00:24.880]  is the idea of treating Coinbase outputs differently than non-Coinbase outputs
[00:24.880 --> 00:29.360]  because people typically spend them in different ways.
[00:29.360 --> 00:32.340]  So, ultimately, I made the joke of You're Not The Money Printer
[00:32.340 --> 00:35.480]  because I'll cover who actually prints these Coinbase outputs,
[00:35.480 --> 00:37.580]  whoever handles or touches them.
[00:37.620 --> 00:41.200]  And I'm also going to be keeping a note of the live chat,
[00:41.200 --> 00:44.340]  so I will be able to answer questions on YouTube.
[00:44.340 --> 00:46.660]  Hopefully, the quality is working well for everyone here,
[00:46.660 --> 00:48.480]  and the stream is going really well.
[00:48.480 --> 00:49.760]  Lots of really good talks today.
[00:49.760 --> 00:52.960]  Thank you, Daniel Kim, for everything you did on the slide before.
[00:52.960 --> 00:56.340]  So, first, let's get started about what...
[00:57.420 --> 01:03.080]  Let's first cover, you know, what is an output, period, right?
[01:03.160 --> 01:06.500]  So, outputs are simply piggy banks.
[01:06.500 --> 01:07.980]  I heard this example from someone else.
[01:07.980 --> 01:11.220]  I can't take credit for considering outputs piggy banks.
[01:11.220 --> 01:18.380]  I previously have called them pots of gold or bills or many different other things.
[01:18.380 --> 01:23.340]  But I like the idea of you taking an amount of money,
[01:23.340 --> 01:26.040]  you put it in a container, this piggy bank,
[01:26.040 --> 01:28.580]  and then in order to spend this amount,
[01:28.580 --> 01:31.180]  the receiver needs to break open the piggy bank
[01:31.180 --> 01:35.280]  and put it in a new output, a new piggy bank.
[01:36.120 --> 01:37.820]  They are single-use.
[01:37.820 --> 01:39.160]  So, unlike the pot example,
[01:39.160 --> 01:42.040]  it definitely stresses the idea of these being single-use.
[01:42.040 --> 01:48.300]  You cannot continue to keep, you know, putting these outputs elsewhere.
[01:48.540 --> 01:52.960]  So, as a result, an output you can think of just as a container of money.
[01:52.960 --> 01:55.480]  It's a really horrible name, output, honestly,
[01:55.480 --> 01:59.800]  just because, you know, there's many things that, you know,
[01:59.800 --> 02:01.560]  else you should be referring to.
[02:03.360 --> 02:05.140]  Sorry, I'm checking the stream again.
[02:05.480 --> 02:07.300]  Making sure it's working just fine.
[02:10.060 --> 02:12.400]  Sorry. Sunday live stream.
[02:12.400 --> 02:13.480]  Okay, perfect.
[02:13.780 --> 02:16.860]  So, the output's a bad example because the source of funds
[02:16.860 --> 02:19.780]  could either be going in or out of a transaction.
[02:19.780 --> 02:21.240]  So, it definitely is misleading.
[02:21.860 --> 02:26.160]  With Bitcoin, outputs do have connections to addresses, however.
[02:26.160 --> 02:29.880]  You would have, you know, a specific source of funds
[02:29.880 --> 02:32.300]  that is tied to a public address,
[02:32.300 --> 02:35.280]  and you would be able to search that on the blockchain.
[02:35.280 --> 02:40.860]  However, for Monero, you need to not think of outputs as tied to addresses.
[02:40.860 --> 02:43.940]  You'll see a specific output on the blockchain.
[02:44.120 --> 02:49.220]  You should think about these having ties to the date they were created,
[02:49.220 --> 02:52.000]  not to the address that they are associated with.
[02:52.000 --> 02:57.020]  Because, of course, with Monero, we do not have addresses to concern ourselves with.
[02:57.020 --> 02:59.600]  Sure, you send and receive funds with addresses,
[02:59.600 --> 03:04.440]  but the blockchain, from a, you know, perspective of what it shares publicly,
[03:04.440 --> 03:06.660]  does not reveal addresses anywhere.
[03:06.660 --> 03:11.140]  They are never present, so, therefore, do not think of outputs as addresses.
[03:11.140 --> 03:14.420]  Think of them as containers of funds that are single-use.
[03:14.480 --> 03:16.780]  It's important that you understand what an output is
[03:16.780 --> 03:19.680]  before I go through the rest of this presentation.
[03:20.740 --> 03:23.340]  Okay, next, what are ring signatures?
[03:23.340 --> 03:29.280]  Well, ring signatures are an important privacy feature of Monero
[03:29.280 --> 03:31.520]  that obfuscates the source of funds.
[03:31.520 --> 03:36.160]  They're often, you know, inconsiderately referred to as mixing,
[03:36.160 --> 03:40.700]  but it really is very, very different than a Bitcoin mixing process.
[03:40.700 --> 03:45.400]  So, the idea is, if you want to spend one of your sources of funds,
[03:45.400 --> 03:48.600]  let's say you go to a store with a $10 bill and a $5 bill,
[03:48.600 --> 03:54.300]  and you want to spend $11, of course, you would give the teller both bills,
[03:54.300 --> 03:57.040]  and they would give you $4 back in change.
[03:57.540 --> 04:00.480]  So, in this case, what you would do is you take your Monero output,
[04:00.480 --> 04:03.140]  which contains a certain number of Monero,
[04:03.140 --> 04:05.740]  and you would include it in a single ring,
[04:05.740 --> 04:09.740]  and then you would include other possible outputs,
[04:09.740 --> 04:12.400]  which we call decoys in Monero.
[04:12.400 --> 04:14.660]  These are not money that you're actually spending,
[04:14.660 --> 04:18.960]  but funds that you ideally convincingly seem to spend,
[04:18.960 --> 04:21.060]  and you include them all in this one ring.
[04:21.060 --> 04:22.720]  So, you would say, in the top example there,
[04:22.720 --> 04:29.880]  that perhaps the Monero transaction would conceivably spend one of these 11 outputs.
[04:29.880 --> 04:33.060]  Only one is actually spent, but the outside observer does not know
[04:33.060 --> 04:35.300]  which source of funds is actually being spent.
[04:35.300 --> 04:39.760]  However, granted, we're able to verify that someone is actually spending funds
[04:39.760 --> 04:40.740]  that they have the right to.
[04:40.740 --> 04:43.460]  They're not just pretending to spend other people's money,
[04:43.460 --> 04:44.780]  because that would be absurd.
[04:46.160 --> 04:48.740]  So, if a transaction is trying to spend two bills,
[04:48.740 --> 04:51.040]  like I described in the $10 and $5 case,
[04:51.040 --> 04:52.680]  there would be two ring signatures.
[04:52.680 --> 04:53.880]  Two independent amounts.
[04:53.880 --> 04:56.840]  They're each spending one of these piggy banks, let's say.
[04:57.120 --> 05:01.320]  And for each piggy bank, we grab 10 other piggy banks,
[05:01.320 --> 05:02.880]  and we say, hey, that might be a source.
[05:02.880 --> 05:04.640]  That might be where the money is coming from.
[05:04.640 --> 05:08.820]  And an outside observer, ideally, would not know any better.
[05:08.820 --> 05:11.640]  However, a ton of Monero research and history has shown
[05:11.640 --> 05:16.560]  that in many cases, people are able to learn information
[05:16.560 --> 05:20.820]  more than what we expect, based off how these inputs are selected.
[05:20.820 --> 05:25.020]  One of these is whether or not outputs are Coinbase outputs or not,
[05:25.020 --> 05:27.700]  which is an additional point of metadata that you can use
[05:27.700 --> 05:33.380]  to determine whether or not an individual is convincingly spending certain outputs.
[05:33.380 --> 05:37.340]  So, what are Coinbase outputs?
[05:37.340 --> 05:40.140]  And of course, just to get it out of the way,
[05:40.140 --> 05:44.860]  I should very clearly state that Coinbase outputs, in this example,
[05:44.860 --> 05:51.360]  are not in reference to outputs that are associated with Coinbase, the centralized exchange.
[05:51.360 --> 05:52.780]  Not at all.
[05:52.780 --> 06:00.120]  Coinbase outputs refer to the idea of money that is from the block reward.
[06:00.120 --> 06:03.480]  So, if you are taking coins and you successfully...
[06:03.480 --> 06:07.020]  Sorry, not taking coins, but if you successfully mine a block, let's say,
[06:07.020 --> 06:12.500]  you have the right to make yourself a Coinbase output that consists of a few things.
[06:12.500 --> 06:15.280]  It consists of the block reward.
[06:15.280 --> 06:17.840]  This is basically money that's coming out of thin air,
[06:17.840 --> 06:22.300]  but it's coming out of thin air according to a very set, regulated process
[06:22.700 --> 06:24.420]  that the network agrees on.
[06:24.620 --> 06:28.080]  Dr. Daniel Kim talked about this in the earlier talk, of course.
[06:28.080 --> 06:32.060]  And then, of course, you are able to pull in the transaction fees
[06:32.060 --> 06:35.660]  that people say that you're entitled to include if people mine them.
[06:35.660 --> 06:38.260]  Of course, fees are included as an incentive for people
[06:38.260 --> 06:41.920]  to choose certain transactions over others.
[06:41.920 --> 06:43.600]  And of course, in Monero's case,
[06:43.600 --> 06:46.940]  they help compensate for the decreased block reward
[06:46.940 --> 06:51.320]  if you are putting in a substantial number of transactions.
[06:51.380 --> 06:53.600]  So, those are Coinbase outputs.
[06:53.600 --> 06:56.480]  Again, not Coinbase the exchange.
[06:56.480 --> 07:02.380]  Coinbase outputs refer to outputs that are generated with the mining process.
[07:02.380 --> 07:05.940]  If a coin, let's say, used proof-of-stake or something,
[07:05.940 --> 07:07.880]  it would be through the staking process.
[07:07.880 --> 07:11.860]  But really, you can think of it as coins that are generated new into the system
[07:11.860 --> 07:17.160]  or based off whoever the person who is authorized to sign the transaction,
[07:17.160 --> 07:21.080]  in this case, sign the block, sorry, which would be the miner.
[07:21.280 --> 07:25.040]  So, you can see I have sets of piggy banks going through here
[07:25.680 --> 07:27.500]  just to try and simplify things.
[07:27.500 --> 07:32.420]  But on the left there, that's the initial source of funds in the piggy bank.
[07:32.420 --> 07:34.200]  Those are generated from the block reward.
[07:34.200 --> 07:35.920]  They are highlighted, that yellow there.
[07:35.920 --> 07:40.260]  And then the funds, in all actuality, are passed along further.
[07:40.260 --> 07:42.780]  Their histories are no longer Coinbase outputs.
[07:42.780 --> 07:46.260]  They're other outputs, non-Coinbase outputs, let's say.
[07:46.800 --> 07:51.260]  Of course, just because Monero is Monero,
[07:51.260 --> 07:53.060]  and we obfuscate all this information,
[07:53.060 --> 07:57.020]  you don't necessarily know that there's this nice, lovely, straight line going through.
[07:57.020 --> 07:59.780]  In all actuality, it looks super, super messy
[07:59.780 --> 08:02.560]  and really looks like this nonsense,
[08:02.560 --> 08:06.140]  where transactions may appear to go a bunch of different ways, of course,
[08:06.140 --> 08:08.060]  but that's not the point of this talk.
[08:08.640 --> 08:11.780]  Instead, we're going to talk about who the actual money printers are.
[08:11.780 --> 08:16.320]  Who has the ability to print money in Monero?
[08:16.320 --> 08:18.080]  Those are the miners.
[08:18.220 --> 08:20.820]  Here is a chart showing who the miners are.
[08:20.820 --> 08:25.860]  You can see that minexmr and supportxmr are the two dominant pools on the Monero network.
[08:25.860 --> 08:27.020]  But you have a few others.
[08:27.020 --> 08:33.020]  You have ones like xmrpool, f2pool, nanopool, smallpools, 2miners.
[08:33.120 --> 08:37.740]  Smallpools consists of a substantial number of really small pools
[08:37.740 --> 08:40.920]  that, in sum, equal 7% of the total network.
[08:40.920 --> 08:44.160]  And then you have that 5% of unknown.
[08:44.340 --> 08:50.800]  So this is something that minexmr is not able to associate with a specific mining pool.
[08:50.800 --> 08:52.880]  These can be solo miners.
[08:52.880 --> 08:55.160]  These can be private pools.
[08:55.200 --> 09:00.820]  Ultimately, it's just network hash rate that's coming out of an unknown situation
[09:00.820 --> 09:04.440]  from people that might either just not bother sharing information publicly
[09:04.440 --> 09:07.380]  or care about mining privately or who knows what.
[09:07.880 --> 09:11.380]  So these are who the money printers are in Monero.
[09:12.380 --> 09:16.640]  And a lot of them reveal a lot of information for quite a few reasons.
[09:16.640 --> 09:19.640]  We have a Breaking Monero episode about public mining pool data
[09:19.640 --> 09:21.980]  that I strongly recommend you watch.
[09:22.080 --> 09:26.540]  But supportxmr, for example, they show the list of all the blocks that they mine.
[09:26.540 --> 09:36.720]  So if someone appears to spend a coinbase output that you know was mined by supportxmr,
[09:36.720 --> 09:40.580]  the only convincing way that that output could have actually been spent in that transaction
[09:40.580 --> 09:44.600]  is if it was supportxmr actually spending it.
[09:44.600 --> 09:50.880]  So if your friend, for example, sent you a transaction that spent funds
[09:50.880 --> 09:54.580]  that supportxmr publicly describes as mining,
[09:55.180 --> 10:02.800]  your friend either better run supportxmr or they are not actually sending you that money.
[10:02.800 --> 10:05.480]  That's a fake decoy and it's known to you to be fake
[10:05.480 --> 10:08.780]  given the information that the public mining pool publishes.
[10:08.780 --> 10:13.960]  So I put it red there because it does reveal a pretty substantial amount of metadata.
[10:14.780 --> 10:17.640]  Most pools will show the blocks they mine.
[10:17.640 --> 10:22.240]  I only looked up supportxmr, minexmr, and nanopool because they're the largest,
[10:22.240 --> 10:24.840]  but this continues for many pools.
[10:24.840 --> 10:28.160]  Minexmr also shows the blocks mined, so does nanopool.
[10:28.340 --> 10:33.300]  And then a few also reveal information about what transactions they make to users.
[10:33.300 --> 10:42.640]  And as I show in other talks, this allows outsiders to pretty reliably form a list
[10:42.640 --> 10:46.860]  of all transactions, really all outputs that the pool has controlled.
[10:46.860 --> 10:51.420]  So as a result, supportxmr does not actually show the specific payouts
[10:51.420 --> 10:54.520]  as far as the transactions are concerned.
[10:54.520 --> 10:57.680]  They don't say, this is the specific transaction we sent.
[10:57.680 --> 11:00.780]  Instead they say, we sent this much money,
[11:00.780 --> 11:03.560]  which is much better than revealing the exact transactions,
[11:03.560 --> 11:05.240]  it makes things much more difficult,
[11:05.240 --> 11:12.580]  but it still likely incurs possible limitations related to timing attacks,
[11:12.580 --> 11:16.500]  where, okay, well, what if it's the only transaction that gets mined
[11:16.500 --> 11:17.640]  around this time period?
[11:17.640 --> 11:19.220]  Well, then it would be more visible.
[11:19.220 --> 11:22.240]  It still reveals more information, but it's not as bad.
[11:22.340 --> 11:25.560]  Nanopool, for example, shows all payout details.
[11:25.560 --> 11:28.280]  You can see who the specific miners are.
[11:28.280 --> 11:32.040]  You can see how the payments are specifically made.
[11:32.040 --> 11:35.360]  You can see the exact Monero transactions that go to these users.
[11:35.360 --> 11:37.840]  So they reveal a ton of information.
[11:37.840 --> 11:42.400]  So within, you know, Nanopool, they are making a lot of information public.
[11:42.720 --> 11:46.800]  Minexmr is only showing payouts to users that are the actual miners.
[11:46.800 --> 11:48.540]  You have to put in your mining address first,
[11:48.540 --> 11:51.940]  and then it will show what payouts were made.
[11:51.940 --> 11:55.460]  This makes it more difficult for someone who's trying to track
[11:55.460 --> 11:58.200]  this sort of information, reveal a lot of information,
[11:58.780 --> 12:03.460]  learn a lot about pool-held outputs.
[12:04.400 --> 12:06.480]  So this is really who the money printers are.
[12:06.480 --> 12:08.480]  But of course, you also have this unknown portion here
[12:08.480 --> 12:10.920]  that I talked about, like who these potentially could be.
[12:10.920 --> 12:14.040]  Well, we really do not, to all intents and purposes,
[12:14.040 --> 12:16.280]  know anything about who's mining these funds.
[12:16.280 --> 12:20.140]  But at the maximum, this unknown refers to, again,
[12:20.140 --> 12:24.560]  the maximum amount of solo miners or private miners
[12:24.560 --> 12:26.360]  that might be potentially impacted
[12:26.360 --> 12:30.460]  if we start meddling with Coinbase outputs,
[12:30.460 --> 12:33.820]  because clearly these mining pools don't really care
[12:33.820 --> 12:35.220]  about revealing information publicly,
[12:35.220 --> 12:38.680]  because they have done so for ages and continue to do so.
[12:38.680 --> 12:41.060]  So the only people that do care about their privacy
[12:41.060 --> 12:43.120]  from this perspective happen to actually be those
[12:43.120 --> 12:47.660]  that are mining in unknown pools or solo mining, right?
[12:48.340 --> 12:52.580]  So we need to talk about who actually owns these outputs.
[12:52.580 --> 12:54.780]  Who is the one that's actually likely to spend,
[12:54.780 --> 12:56.760]  control, et cetera, these outputs?
[12:56.760 --> 13:01.940]  Well, Coinbase outputs are only spent by two groups of people,
[13:01.940 --> 13:05.240]  mining pools or people that are solo mining
[13:05.240 --> 13:07.320]  or mining on a private pool.
[13:07.460 --> 13:10.320]  And there's only about 10 total mining pools
[13:10.320 --> 13:14.360]  that consistently mine blocks.
[13:14.600 --> 13:17.480]  And for solo miners, there aren't that many of those either.
[13:17.480 --> 13:20.460]  There's a relatively small number, let's say.
[13:21.460 --> 13:23.780]  Well, there's also the next set.
[13:23.780 --> 13:27.740]  So instead of just funds that come from Coinbase,
[13:27.740 --> 13:31.580]  there's also, okay, what's the from Coinbase outputs, let's say?
[13:31.580 --> 13:33.980]  The next set. Once they're spent from Coinbase,
[13:33.980 --> 13:38.020]  who convincingly may actually hold these outputs?
[13:38.020 --> 13:41.700]  Well, it's still the mining pools, because mining pool mines a block,
[13:41.700 --> 13:45.780]  they send a transaction to someone, the Coinbase output,
[13:45.780 --> 13:49.760]  and then they receive change back to the mining pool.
[13:49.760 --> 13:51.640]  So they still will hold on to these blocks.
[13:51.640 --> 13:56.020]  So they are convincing holders of the from Coinbase outputs.
[13:56.720 --> 13:59.780]  But solo miners are still also convincing holders.
[13:59.780 --> 14:03.740]  But really, the extra layer of protection for users comes in the idea
[14:03.740 --> 14:07.220]  that pool miners, not just the pool operators,
[14:07.220 --> 14:12.920]  but the pool miners are likely recipients of these from Coinbase outputs.
[14:12.920 --> 14:15.560]  Because a mining pool, again, will mine a block,
[14:15.560 --> 14:17.520]  and they'll send a payout to someone.
[14:17.520 --> 14:19.140]  They need to send that payment somehow.
[14:19.140 --> 14:21.180]  So they need to spend that Coinbase output.
[14:21.180 --> 14:26.560]  They might give the output that's generated next to specific users.
[14:26.560 --> 14:31.100]  And so therefore, the entropy set of who actually may touch these outputs,
[14:31.100 --> 14:35.760]  even though on chain, it's only one level away from the mining,
[14:35.760 --> 14:38.680]  so the Coinbase outputs, in all actuality,
[14:38.680 --> 14:43.040]  holding one of these outputs covers a much wider scope of activity.
[14:43.040 --> 14:44.400]  And so it's much more convincing.
[14:44.400 --> 14:51.240]  If your friend, let's say, sends you a decoy that includes one of these outputs,
[14:51.240 --> 14:56.020]  they perhaps might have just been mining with their laptop on a mining pool
[14:56.020 --> 14:58.620]  and eventually got a tiny fraction of a payout.
[14:58.620 --> 15:00.060]  That's possible.
[15:00.060 --> 15:04.200]  That's certainly much more possible than them sending you an actual Coinbase output.
[15:04.200 --> 15:07.380]  It's completely different. It's much, much more convincing.
[15:07.460 --> 15:11.440]  So it's important to consider who actually touches these outputs.
[15:11.440 --> 15:14.740]  And this wraps around to the scope of the talk or name of the talk again
[15:14.740 --> 15:18.360]  in saying that, are you a convincing money printer?
[15:18.360 --> 15:22.040]  Are you a convincing person to actually touch these initial Coinbase outputs?
[15:22.040 --> 15:25.480]  For the vast majority of people, the answer is no.
[15:25.480 --> 15:30.040]  Very, very few predictable people are the ones that typically touch these Coinbase outputs.
[15:30.720 --> 15:32.400]  So what can we do?
[15:32.520 --> 15:35.680]  Well, we can handle Coinbase outputs differently.
[15:35.680 --> 15:37.620]  We can optionally decide to say,
[15:37.620 --> 15:43.760]  hey, we would like Coinbase rings to remain separate from non-Coinbase rings.
[15:43.760 --> 15:46.700]  One thing we can also do with consensus changes
[15:46.700 --> 15:52.040]  is say that Coinbase rings must be a certain size
[15:52.040 --> 15:54.560]  and non-Coinbase rings must be a certain size.
[15:54.560 --> 15:56.680]  Of course, for Monero transactions right now,
[15:56.680 --> 16:00.540]  we mandate a ring size of 11 for all transactions,
[16:00.540 --> 16:04.040]  whether they're spending Coinbase outputs or not spending Coinbase outputs.
[16:04.040 --> 16:09.000]  But we could say, well, since there's so much information available public anyway
[16:09.000 --> 16:12.820]  for Coinbase outputs because mining pools make so much information public,
[16:12.820 --> 16:17.200]  we can instead say, well, let's just say that these can have a smaller ring size.
[16:17.200 --> 16:18.960]  We'll drop them down to three.
[16:18.960 --> 16:23.000]  We will inform network participants that Coinbase outputs themselves
[16:23.000 --> 16:26.380]  are not reasonably protected because, you know,
[16:26.380 --> 16:29.180]  it's predictable to figure out who actually owns them.
[16:29.720 --> 16:34.380]  So therefore, we can save transaction efficiency,
[16:34.380 --> 16:37.220]  you know, network efficiency for these specific outputs.
[16:37.300 --> 16:40.680]  And those who are actually solo mining or mining on private pools
[16:40.680 --> 16:45.620]  will just be told, well, don't specifically send these funds you generate to someone else.
[16:45.620 --> 16:47.820]  You will at least want one level of separation.
[16:47.820 --> 16:50.920]  So you include a much wider scope of activity there.
[16:51.640 --> 16:54.540]  And then, of course, with a non-Coinbase ring, we can say,
[16:54.540 --> 16:57.480]  oh, well, we can keep this at size 11, let's say,
[16:57.480 --> 17:02.160]  or maybe we can pop it up to size 12 or 13,
[17:02.160 --> 17:06.000]  just to take advantage of those additional efficiency benefits.
[17:06.060 --> 17:09.680]  So the network overall is still as efficient as it was before to verify.
[17:09.820 --> 17:12.500]  But the users who do care about privacy are actually getting it.
[17:12.500 --> 17:18.260]  And the people who don't care are not having efficiency wasted on them in a way.
[17:19.380 --> 17:21.100]  So, yeah, again, in the Coinbase rings,
[17:21.100 --> 17:24.740]  the only ones that actually would construct these are mining pools and solo miners.
[17:24.740 --> 17:26.400]  For the non-Coinbase rings,
[17:26.400 --> 17:28.620]  these would be constructed by everyone,
[17:28.620 --> 17:31.380]  including mining pools and solo miners, of course.
[17:31.380 --> 17:33.340]  So the whole network is constructing these,
[17:33.340 --> 17:35.740]  but we can make separate rules for Coinbase rings.
[17:35.740 --> 17:39.780]  And that might be warranted if network activities suggest
[17:39.780 --> 17:42.760]  that it will actually be impacting certain users' behavior.
[17:43.860 --> 17:47.480]  So Sarang Noether looked at the actual spend distribution
[17:47.480 --> 17:50.520]  of Coinbase and non-Coinbase outputs in Monero.
[17:50.520 --> 17:53.200]  Now, granted, the only way we were actually able to look at these
[17:53.200 --> 17:57.520]  is by looking at Monero's traceable old history.
[17:57.520 --> 17:59.620]  So Monero from 2014 to 2017
[18:00.340 --> 18:03.720]  definitely did not have very strong ring signature protections.
[18:03.800 --> 18:09.180]  And so we were able to determine when certain outputs were spent.
[18:09.180 --> 18:10.700]  And then we, you know, Dr. Sarang Noether
[18:10.700 --> 18:15.460]  broke them down to whether or not they were Coinbase or non-Coinbase outputs.
[18:15.460 --> 18:18.620]  And as you can see, there's very little difference.
[18:18.620 --> 18:20.960]  So we have the option, too, to say,
[18:20.960 --> 18:23.480]  oh, well, we can have different time selection periods
[18:23.480 --> 18:27.560]  for whether or not we're selecting decoys for Coinbase or non-Coinbase rings.
[18:27.560 --> 18:31.000]  But the evidence so far shows that there's no need to actually do this.
[18:31.000 --> 18:32.860]  But if there was a need to do that,
[18:32.860 --> 18:36.260]  then the benefit to overall privacy for people would be far greater
[18:36.260 --> 18:40.960]  because we're able to segregate by this required point of network metadata,
[18:40.960 --> 18:44.380]  whether or not an output is a Coinbase output or not.
[18:44.440 --> 18:45.860]  So just something to think about.
[18:45.860 --> 18:48.540]  That's something we can do, but there's no need to,
[18:48.540 --> 18:50.720]  given current research so far.
[18:51.660 --> 18:55.280]  So I know the point of the talk is like, you know, why we should.
[18:55.520 --> 18:58.100]  But ultimately, one of the big takeaways I want is
[18:58.100 --> 19:00.100]  you don't need to panic as a result of this.
[19:00.100 --> 19:01.920]  Coinbase outputs are increasingly rare
[19:01.920 --> 19:05.860]  as a proportion of total network activity.
[19:05.860 --> 19:07.580]  And ring sizes are pretty large already,
[19:07.580 --> 19:11.180]  and they will most likely get substantially larger in the future.
[19:11.300 --> 19:16.000]  So looking at some transaction data on total number of transactions per block,
[19:16.000 --> 19:18.520]  there are about two outputs per transaction.
[19:18.520 --> 19:19.480]  Or at least two.
[19:19.480 --> 19:22.340]  So actually the average is a little bit more than two.
[19:22.340 --> 19:25.020]  But to all intents and purposes, let's just consider it two.
[19:25.120 --> 19:28.000]  Over the past month, year,
[19:28.000 --> 19:31.260]  there's been about 13 Monero transactions per block,
[19:31.260 --> 19:32.180]  which is quite a bit.
[19:32.180 --> 19:35.560]  A lot more than in Monero's early history.
[19:35.600 --> 19:39.820]  So that means 13 transactions times two outputs per transaction.
[19:39.960 --> 19:43.560]  We're generating 26 outputs per block
[19:43.560 --> 19:45.920]  just by non-Coinbase related transactions.
[19:45.920 --> 19:48.380]  And then, of course, we have that one Coinbase output
[19:48.380 --> 19:50.280]  that's being generated per block.
[19:50.280 --> 19:54.020]  So really, the total proportion of Coinbase outputs
[19:54.020 --> 19:57.500]  that are being generated is a pretty low 3.7%.
[19:57.500 --> 19:59.340]  So all things being equal,
[19:59.340 --> 20:02.070]  if you are selecting decoys from the blockchain,
[20:02.700 --> 20:05.040]  the likelihood you're going to choose a new Coinbase output
[20:05.040 --> 20:08.060]  is much lower than choosing a non-Coinbase output.
[20:08.060 --> 20:11.040]  In the past, with a smaller transaction amount,
[20:11.040 --> 20:17.880]  this used to be closer to 20% even a year or so ago.
[20:17.880 --> 20:18.900]  So it really has changed
[20:18.900 --> 20:21.260]  with the additional adoption of Monero activity.
[20:21.260 --> 20:23.060]  That is really what has changed.
[20:23.200 --> 20:25.240]  The discussion here is based off
[20:25.240 --> 20:27.340]  Monero having far more transactions
[20:28.020 --> 20:33.840]  that will make the absolute impact of Coinbase outputs,
[20:35.380 --> 20:37.780]  the proportional impact be small
[20:37.780 --> 20:40.200]  and absolute for each transaction be smaller too.
[20:40.200 --> 20:43.680]  So that's pretty exciting to think about.
[20:43.680 --> 20:46.620]  Also, large ring sizes still minimize.
[20:46.900 --> 20:50.300]  Like pretty much for all things Monero attack related,
[20:50.300 --> 20:51.580]  one solution is always,
[20:51.580 --> 20:53.020]  well, why don't we just bump the ring size?
[20:53.020 --> 20:54.120]  Just increase the ring size,
[20:54.120 --> 20:56.380]  just keep bumping the ring size, right?
[20:56.380 --> 20:58.580]  So with the current situation,
[20:58.580 --> 21:00.620]  you have 11 ring members
[21:00.620 --> 21:02.300]  and on average, you're probably going to select
[21:02.300 --> 21:06.120]  one or zero Coinbase outputs per transaction.
[21:06.120 --> 21:08.980]  Again, it used to be more like one to three,
[21:08.980 --> 21:10.300]  but really at the moment,
[21:10.300 --> 21:13.160]  it's zero or one for most transactions.
[21:13.160 --> 21:14.120]  So you can say that,
[21:14.120 --> 21:16.660]  oh, well, if one Coinbase output is selected,
[21:16.660 --> 21:18.580]  really, unless you know that they're a miner,
[21:19.220 --> 21:20.580]  a mining pool operator,
[21:20.580 --> 21:21.640]  not even just a miner,
[21:21.640 --> 21:23.780]  the effective ring size is actually 10.
[21:23.780 --> 21:25.140]  It's reduced by one.
[21:25.620 --> 21:29.420]  Well, if we do not segregate Coinbase rings,
[21:29.420 --> 21:32.140]  well, we still will have a proportional scale
[21:32.140 --> 21:34.240]  where the total proportion of Coinbase outputs
[21:34.240 --> 21:35.340]  are still going to be selected
[21:35.340 --> 21:37.900]  for even larger ring sizes.
[21:37.900 --> 21:40.980]  And so more outputs are going to be compromised,
[21:40.980 --> 21:42.360]  but ultimately at the end of the day,
[21:42.360 --> 21:44.760]  the effective ring size is still going to increase
[21:44.760 --> 21:46.440]  quite substantially, right?
[21:46.440 --> 21:50.320]  Where, you know, the difference between 128 and 116
[21:50.320 --> 21:53.820]  is far lower, even though it's a proportional same,
[21:53.820 --> 21:56.160]  than the difference between 11 and 10, right?
[21:56.420 --> 22:00.120]  The actual decoy difference is much bigger
[22:00.120 --> 22:03.800]  in practice for smaller numbers than bigger numbers.
[22:03.800 --> 22:09.380]  So in conclusion, you are not the money printer, right?
[22:09.380 --> 22:11.600]  You are not actually spending Coinbase outputs.
[22:11.600 --> 22:13.360]  There's no convincing way that you would ever
[22:13.360 --> 22:15.080]  control these for any reason.
[22:15.540 --> 22:18.860]  But this only materially matters
[22:18.860 --> 22:22.000]  if Monero has small adoption.
[22:22.000 --> 22:28.600]  If Monero has only a handful of transactions per block,
[22:28.600 --> 22:30.780]  then yes, it does matter.
[22:30.780 --> 22:32.200]  The proportion of Coinbase outputs
[22:32.200 --> 22:34.180]  would be quite significant.
[22:34.240 --> 22:37.380]  However, if you have the tune of dozens of Monero transactions
[22:37.720 --> 22:40.220]  per block on average, then really,
[22:40.220 --> 22:44.160]  Coinbase outputs aren't getting in the way that much.
[22:44.160 --> 22:45.360]  They just aren't.
[22:45.740 --> 22:49.520]  So, you know, the most important thing
[22:49.520 --> 22:53.400]  for resolving this problem is making sure
[22:53.400 --> 22:55.220]  that Coinbase outputs are rare,
[22:55.220 --> 22:58.020]  proportional to the total number of transactional nodes.
[22:58.020 --> 23:00.680]  And really, the total number of Coinbase outputs
[23:00.680 --> 23:02.560]  is not changing per day.
[23:02.560 --> 23:04.040]  That's like stagnant.
[23:04.040 --> 23:06.860]  Every two minutes on average, a block is going to be mined.
[23:06.860 --> 23:08.000]  That's predictable.
[23:08.000 --> 23:10.180]  So network activity for all other transactions
[23:10.480 --> 23:16.060]  needs to be substantial in order to cover users, right?
[23:18.160 --> 23:23.760]  So really, we should, in my opinion,
[23:23.760 --> 23:26.000]  still separate Coinbase outputs.
[23:26.000 --> 23:30.020]  Because in all reality, if you see a transaction still
[23:30.020 --> 23:34.260]  that appears to spend a Coinbase output,
[23:34.260 --> 23:36.500]  the likelihood it actually is spending this
[23:36.500 --> 23:37.820]  is very, very low.
[23:37.860 --> 23:38.820]  Very, very low.
[23:38.820 --> 23:40.240]  It's not super likely.
[23:40.500 --> 23:42.320]  So we should still separate it.
[23:42.320 --> 23:43.500]  But at the end of the day,
[23:43.500 --> 23:47.580]  it's also not the end of the world if we don't.
[23:47.580 --> 23:50.560]  And so that's one of those good problems to have, I guess.
[23:50.560 --> 23:54.020]  And then as ring sizes increase too,
[23:54.760 --> 23:57.160]  you likely will have, or you also will have
[23:57.160 --> 24:00.260]  an increase in the absolute protection
[24:00.260 --> 24:02.560]  provided by the rings anyway,
[24:02.560 --> 24:04.520]  even if a few of them are going to be selecting
[24:04.520 --> 24:08.280]  from these toxic Coinbase output pools.
[24:08.460 --> 24:13.160]  So ultimately, that's the main takeaway from this whole talk.
[24:14.120 --> 24:17.380]  OK, so if you want to get more educated on Monero,
[24:17.380 --> 24:19.360]  learn more, get started, join the communities,
[24:19.360 --> 24:22.140]  you can get educated by going to masteringmonero.com.
[24:22.140 --> 24:24.320]  You can get to read a free book there, buy a print version.
[24:24.320 --> 24:25.780]  You can go to moneromeans.money
[24:25.780 --> 24:30.440]  and watch a movie that Dr. Daniel Kim was the star in.
[24:30.440 --> 24:34.000]  It was actually number one box office in the United States for two days
[24:34.000 --> 24:38.200]  and number two for the week and weekend back in April.
[24:38.440 --> 24:42.080]  You can download cakewallet.com and get the app there.
[24:42.080 --> 24:44.260]  You can go to getmonero.org and download that wallet.
[24:44.260 --> 24:46.680]  There's also other great wallets like Monerujo you can download
[24:46.680 --> 24:48.880]  or you can join the Monero communities.
[24:49.040 --> 24:52.200]  The Monero community workgroup is communityworkgroup.org.
[24:52.200 --> 24:55.500]  It will actually be changing shortly to monerocommunity.org.
[24:55.500 --> 24:58.440]  And the other communities are listed on getmonero.org.
[24:58.440 --> 25:03.240]  My specific information is, you know, contact there at above.
[25:03.340 --> 25:06.480]  I just really was interested in Coinbase outputs
[25:06.480 --> 25:10.040]  and felt that it was necessary to have a talk about them at some point.
[25:10.040 --> 25:14.360]  I know it's kind of niche, but it's important to think about
[25:14.360 --> 25:16.860]  certain points of metadata on the Monero blockchain
[25:16.860 --> 25:19.920]  and then try and connect these points of metadata to user behavior
[25:19.920 --> 25:27.120]  to see if anything is revealing and will potentially degrade Monero privacy.
[25:27.120 --> 25:30.960]  So it's important to think about these things going forward.
[25:30.960 --> 25:32.280]  All right, that's the end of my talk.
[25:32.280 --> 25:33.940]  We have some wonderful other talks coming up.
[25:33.940 --> 25:36.360]  So I'm going to hand it off to the rest of the Monero Village
[25:36.360 --> 25:39.000]  and hope you enjoy the rest of your time here.
[25:39.000 --> 25:39.640]  Take care.
